Configuring PHP for Security

You can harden your PHP applications further by configuring the PHP runtime environment settings properly. You can edit the directives below from the User Interface by going to Configurations | PHP.

Tip:

To search for a directive, enter the name of the directive in the search box in the Action bar.

Important:

Changing some of these settings may cause certain PHP applications to stop functioning. Therefore, use discretion when disabling them and test your environment; it is important that you fully understand the purpose of each directive before modifying it.

Optimal php.ini configurations and settings for maximum security protection from external threats (Name, Default, Optimal Value, Description):

disable_functions
Default: (empty)
Optimal Value: (none listed)
Description: This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in the php.ini file; it cannot be set in httpd.conf, for example.

disable_classes
Default: (empty)
Optimal Value: (none listed)
Description: This directive allows you to disable certain classes for security reasons. It takes a comma-delimited list of class names. The disable_classes directive is not affected by Safe Mode. This directive must be set in php.ini; it cannot be set in httpd.conf, for example.

magic_quotes_gpc
Default: 0
Optimal Value: 0
Description: Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single quotes), " (double quotes), \ (backslashes) and NULLs are automatically escaped with a backslash.

allow_url_include
Default: 0
Optimal Value: 0
Description: This option allows the use of URL-aware fopen wrappers with the following functions: include(), include_once(), require(), require_once().
Note: This setting requires that allow_url_fopen be set to On.

expose_php
Default: 1
Optimal Value: 0
Description: Decides whether PHP may expose the fact that it is installed on the server (e.g., by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether or not you use PHP on your server.

display_errors
Default: 1
Optimal Value: 0
Description: This determines whether errors should be printed to the screen as part of the output or hidden from the user. The value "stderr" sends the errors to stderr instead of stdout.
Note: This is a feature to support your development and should never be used on production systems (e.g., systems connected to the Internet).
Note: Although display_errors may be set at runtime (with ini_set()), it won't have any effect if the script has fatal errors, because the desired runtime action never gets executed.

register_globals
Default: 0
Optimal Value: 0
Description: Whether or not to register the EGPCS (Environment, GET, POST, Cookie, Server) variables as global variables. Relying on this feature is highly discouraged. Please read the security chapter in the PHP manual on Using register_globals for related information.
Note: register_globals is affected by the variables_order directive.
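
The following script, added here as an example and not part of the original page or product, compares the running PHP configuration with the optimal values in the table above. It uses ini_get() to read each directive under the SAPI it runs in, reports directives that are On but should be Off, and checks whether a candidate list of process-spawning functions is still callable. The candidate list (exec, shell_exec, system, passthru, popen, proc_open) is an assumption of the example, not a value from the page, and should be adjusted to what your applications actually need. It assumes PHP 7.1 or later.

```php
<?php
// php_ini_audit.php: compares the running PHP configuration with the
// optimal values from the table above and prints one line per directive.
// Added example, not from the original page. Assumes PHP 7.1 or later.
declare(strict_types=1);

// Functions commonly placed in disable_functions on hardened servers. This
// candidate list is an assumption of the example, not a value from the page;
// adjust it to what your applications actually need.
const CANDIDATE_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

// Directives whose optimal value in the table is 0 (Off). magic_quotes_gpc and
// register_globals (like Safe Mode) were removed in PHP 5.4, so ini_get()
// returns false for them on current releases and they are reported as N/A.
const MUST_BE_OFF = ['magic_quotes_gpc', 'allow_url_include', 'expose_php', 'display_errors', 'register_globals'];

// php.ini accepts On/Off, 1/0, true/false and yes/no; ini_get() returns the
// raw string, so normalise it before comparing.
function ini_is_on(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Splits a comma-delimited directive such as disable_functions into a list.
function ini_list(string $directive): array
{
    $raw = ini_get($directive);
    if ($raw === false || trim($raw) === '') {
        return [];
    }
    return array_map('trim', explode(',', $raw));
}

// Returns one [directive, status, detail] triple per directive checked.
function audit(): array
{
    $findings = [];

    foreach (MUST_BE_OFF as $directive) {
        $raw = ini_get($directive);
        if ($raw === false) {
            $findings[] = [$directive, 'N/A', 'not present in this PHP version'];
        } elseif ($directive === 'display_errors' && strtolower($raw) === 'stderr') {
            // "stderr" still emits errors, only on a different stream; it is not Off.
            $findings[] = [$directive, 'WARN', 'is "stderr"; optimal value is 0'];
        } elseif (ini_is_on($raw)) {
            $findings[] = [$directive, 'WARN', 'is On; optimal value is 0'];
        } else {
            $findings[] = [$directive, 'OK', 'is Off'];
        }
    }

    // disable_functions: report candidate functions that are still callable.
    // On PHP 8 function_exists() returns false for disabled functions; on
    // PHP 7 it returns true, so the disable_functions list is consulted too.
    $disabled = ini_list('disable_functions');
    $callable = [];
    foreach (CANDIDATE_FUNCTIONS as $fn) {
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $callable[] = $fn;
        }
    }
    $findings[] = $callable === []
        ? ['disable_functions', 'OK', 'candidate functions are disabled or unavailable']
        : ['disable_functions', 'WARN', 'still callable: ' . implode(', ', $callable)];

    $classes = ini_list('disable_classes');
    $findings[] = $classes === []
        ? ['disable_classes', 'INFO', 'no classes disabled']
        : ['disable_classes', 'OK', 'disabled: ' . implode(', ', $classes)];

    return $findings;
}

$exitCode = 0;
foreach (audit() as [$directive, $status, $detail]) {
    printf("%-18s %-4s %s\n", $directive, $status, $detail);
    if ($status === 'WARN') {
        $exitCode = 1;
    }
}
exit($exitCode);
```

Run it under the SAPI you want to check: the CLI (php php_ini_audit.php) often loads a different php.ini than the web server, so to verify the web configuration serve the script through Apache or PHP-FPM and read the output there, or point the CLI at the web php.ini with php -c. A non-zero exit status means at least one directive deviates from the table.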

Tip:

Do you want to learn more about securing your PHP?
Why don't you take a look at our Security Training.